|

AI-Assisted Hacker Breaches 600+ FortiGate Firewalls Across 55 Countries: What Happened and How to Defend Right Now

ByInnoVirtuoso

What happens when a novice cybercriminal gets an AI co‑pilot? In this case: a global smash-and-grab across more than 600 FortiGate devices, spanning 55 countries, executed in just a few weeks—and powered in part by off-the-shelf generative AI.

According to reporting from Amazon Threat Intelligence, surfaced by The Hacker News, a Russian-speaking, financially motivated actor orchestrated a scaled campaign between January 11 and February 18, 2026, leaning on AI for everything from attack planning to command generation and network pivoting. The result wasn’t a sophisticated zero-day exploit. It was something more unsettling: the industrialization of “good enough” cybercrime at speed and scale.

If you run Fortinet gear—or any internet-exposed network devices—this is your wake-up call. Below, we unpack what happened, why it matters, and what to do in the next 24 hours, 7 days, and 30 days to stay out of the blast radius.

The 60-Second Brief

  • A financially motivated, Russian-speaking threat actor compromised 600+ FortiGate devices across 55 countries in about five weeks.
  • AI tools reportedly handled planning, tool development, command generation, and operational decision-making—letting a small team (or even a solo operator) punch far above its weight.
  • Targets weren’t chosen for who they are but how exposed they were: weak credentials, internet-exposed management ports, and under-hardened deployments.
  • Post-breach activity went beyond firewall tampering: pulling configs to harvest credentials/topology, moving toward Active Directory, credential databases, and backup systems—classic ransomware staging.
  • Publicly exposed attacker infrastructure revealed victim data and custom tools, including a Go-based VPN scanner (“CHECKER2”) and an MCP server (“ARXON”) coordinating workflows.
  • AI choice matters: researchers saw evidence of DeepSeek for recon/planning and Anthropic’s Claude for vulnerability assessments and tool execution—echoing broader research that generative AI is accelerating cybercrime operations.
  • The actor abandoned hardened targets and moved on—a powerful reminder that even basic controls can turn AI-enhanced adversaries away.

Source: The Hacker News coverage, summarizing Amazon Threat Intelligence; independent research by Cyber and Ramen.

Inside the Campaign: A Rapid, AI-Enabled Assembly Line

Timeline and Tactics

  • Window: January 11–February 18, 2026
  • Scale: 600+ FortiGate devices, 55 countries
  • Motivation: Financial (precursors to ransomware observed)
  • Approach: Automated scans to find systems with exposed management surfaces and weak passwords; AI-assisted planning and pivoting to turn initial footholds into broader compromises

Port activity reportedly clustered on 443, 8443, 10443, and 4443—common management and SSL-VPN ports for network devices—stemming from scanning infrastructure including IP 212.11.64.250. To be clear: these details are shared for awareness and detection context, not replication.

Once devices were in hand, attackers commonly: – Extracted configurations to harvest stored credentials and understand internal network topology – Targeted Active Directory for broader identity compromise – Sought credential databases and backup infrastructure—classic ransomware leverage points – Pivoted opportunistically; if one path was hardened, they abandoned and moved on

Why FortiGate?

FortiGate appliances are widely deployed and sit at strategic chokepoints. Over the past few years, multiple high-severity issues—particularly in SSL-VPN and administrative interfaces—have drawn sustained adversary attention. Even when fully patched, misconfigurations (like exposing admin services to the internet or relying on weak—or reused—credentials) create low-effort, high-reward entry points.

This actor didn’t reinvent the offensive wheel. They optimized the “find weak targets fast” playbook and let AI grease the wheels at every step.

The AI Toolchain in Play

Independent analysis suggests a modular, AI-orchestrated workflow: – DeepSeek for reconnaissance and attack planning – Anthropic’s Claude for vulnerability assessments and generating/evaluating offensive commands and scripts – An MCP (Model Context Protocol) server (“ARXON”) to coordinate context, tools, and steps, consistent with how the Model Context Protocol can integrate external tools – Custom utilities like “CHECKER2,” a Go-based scanner focused on VPN-accessible surfaces

Researchers also linked a prior exposure of a “HexStrike” AI framework (December 2025), underscoring that adversaries are assembling repeatable, AI-enhanced pipelines—effectively an assembly line for cybercrime.

Why This Matters: AI Is Collapsing the Skill Gap

We’re witnessing a structural shift: – Scale over sophistication: AI helps low-to-mid skill operators scale reconnaissance, scripting, and decision-making—multiplying impact with less expertise. – Speed to value: Plans, payloads, and pivots can be generated or refined in minutes, turning opportunistic scans into viable intrusions much faster. – Target fluidity: Hardened? The attacker moves on. AI makes triage efficient and impersonal at global scale. – Democratized tooling: Off-the-shelf AIs are becoming “ops copilots,” complete with workflow integration and coded extensions.

This isn’t hypothetical. Google’s threat research has repeatedly flagged the growing use of genAI across the cybercriminal lifecycle (see Google Cloud Threat Intelligence’s summary on how threat actors are using AI). The result is a world where “average” attackers move like well-oiled teams—if targets leave the doors unlocked.

What To Do Now: A Practical, Prioritized Action Plan

You don’t have to solve AI misuse overnight. You do need to close the most obvious gaps—fast. Use this 24-hour, 7-day, and 30-day plan to reduce risk immediately and build resilience against AI-amplified intrusion campaigns.

In the Next 24 Hours

  1. Lock down FortiGate administrative access – Remove public exposure of admin interfaces (HTTP/HTTPS/SSH) from the internet. Permit management only via a jump host or out-of-band network, restricted by source IP. – Enforce MFA for all administrative access. – If you must allow remote admin temporarily, whitelist trusted IPs only and enable rate limiting/lockouts.
  2. Audit and rotate credentials – Rotate administrator and service account credentials on FortiGate and connected systems (e.g., LDAP/AD bind accounts, SNMP). – Disable unused local admin accounts; enforce strong, unique passwords. Prefer passwordless or certificate-based auth where supported.
  3. Validate configurations and search for tampering – Review recent config changes: new users, policies, address objects, routes, VPN users/groups, scheduled tasks, or scripts. – Inspect logs for unusual admin logins (time, source IP, geography), excessive configuration downloads/exports, or repeated failed logins.
  4. Patch to the latest supported FortiOS release – If you’re behind, prioritize SSL-VPN and administrative interface patches. Cross-reference the CISA Known Exploited Vulnerabilities Catalog and Fortinet’s PSIRT advisories.
  5. Turn on centralized logging and alerting – Ensure FortiGate logs (auth, admin access, VPN events, config changes) flow to your SIEM/SOAR. Create immediate alerts for admin logins from unusual sources and bulk config downloads.
  6. Snapshot and back up—safely – Take secure, offline backups of clean configurations. If compromise is suspected, preserve evidence before changes and contact your IR team.
  7. Hunt for related scanning and access attempts – Review WAF/firewall/VPN logs for unusual spikes on management/SSL-VPN ports (443/8443/10443/4443) and repeated probes from singular external IPs or small clusters.

In the Next 7 Days

  1. Harden FortiGate following vendor guidance – Enforce least-privilege admin profiles; disable HTTP admin on WAN; prefer certificate-based auth for VPN; enable anti-brute-force and login lockouts. See Fortinet’s docs on securing administrator access.
  2. Reduce external attack surface – Remove or gate any internet-exposed management interfaces behind a VPN or ZTNA. – Geofence admin access; consider conditional access or device posture checks for VPN users.
  3. Strengthen identity and directory security – Deploy MFA everywhere, especially for any path to admin control planes. – Harden AD: implement tiered administration and just-in-time access. Microsoft’s Privileged Access model is a good starting point. – Rotate service account credentials and adopt managed secrets storage.
  4. Fortify backups and recovery – Protect backups with offline/immutable storage. Separate backup admin credentials from domain credentials; regularly test restores.

  5. Build detections that match this campaign’s patterns – Alerts on:

    • Admin logins from new geographies or autonomous systems
    • Repeated failed logins followed by success
    • Unusual spikes in configuration export/download events
    • New VPN users/groups or policy changes outside maintenance windows
    • Sudden creation of data exfiltration rules or unusual routing changes
  6. Validate vendor versions against high-priority CVEs – Review device inventory; patch or isolate end-of-life firmware; subscribe to Fortinet PSIRT notifications.

In the Next 30 Days

  1. Shift toward “never expose” by design – Treat network device management as a private service, not an internet app. Use out-of-band management, jump hosts, or ZTNA with device posture and SSO.
  2. Mature privileged access management – Eliminate shared admin accounts; adopt just-in-time elevation; monitor and record administrative sessions.
  3. Continuous attack surface management – Implement external attack surface monitoring to discover and remediate newly exposed services quickly.
  4. Network segmentation and blast-radius control – Restrict lateral movement from edge devices. Limit what a compromised firewall credential can reach. Use microsegmentation where feasible.
  5. Telemetry depth and retention – Ensure sufficient log retention for admin, VPN, and config change events to support multi-week investigations, matching the observed campaign timelines.
  6. Tabletop and IR readiness – Run a ransomware tabletop specifically simulating entry via a firewall/VPN device. Validate containment steps, credentials rotation, and communications tree.

Detection Ideas and Signals of Interest

Without diving into exploit-level detail, here are practical, high-level indicators and behaviors worth monitoring:

  • Admin interface access from the internet or atypical regions, especially outside business hours
  • Surges of failed logins on VPN/admin endpoints, followed by successful admin sessions
  • Configuration exports or backups initiated by unknown or newly created admin accounts
  • Creation of new VPN users/groups, unexpected policy/object changes, or new routes
  • Data egress from firewalls to unknown destinations, particularly after configuration pulls
  • Concentrated scanning traffic against management/SSL-VPN ports (443/8443/10443/4443)
  • AD anomalies shortly after a firewall incident: new domain admin grants, GPO changes, Kerberos tickets from unusual hosts
  • Backup system access from accounts that typically don’t touch it

Note: If your telemetry is thin on these signals, prioritize logging upgrades first, then detection content.

Regional Impact Doesn’t Equal Targeting

The campaign touched South Asia, Latin America, West Africa, Northern Europe, and Southeast Asia. That sounds like a focus, but the operational reality appears indiscriminate: automated scans, opportunistic compromises, and rapid shift toward “soft” targets. If you’re exposed and easy, you’re in scope—regardless of industry or region.

The Most Important Lesson: Hygiene Beats Hype

One of the most telling details: the actor abandoned hardened targets. They didn’t burn time on well-defended devices. AI let them triage the world and move on. That’s a powerful endorsement of basic, disciplined security:

  • Don’t expose management to the internet.
  • Enforce MFA and strong authentication everywhere.
  • Patch aggressively, especially on internet-facing equipment.
  • Log comprehensively and monitor for obvious anomalies.
  • Practice least privilege and segment networks to limit blast radius.

These aren’t new ideas. But the AI era punishes procrastination. When attackers can evaluate and pivot at global scale, the cost of “we’ll get to it next quarter” skyrockets.

Executive Talking Points (Share This With Leadership)

  • This was not a zero-day bonanza. It was speed, scale, and weak configurations—supercharged by AI.
  • We can materially reduce risk in days by removing exposed admin surfaces, enforcing MFA, and patching.
  • Attackers abandoned hardened assets. Basics work.
  • Detection and response maturity on identity, VPN, and config events is critical for early containment.
  • Budget asks that move the needle now: attack surface monitoring, privileged access management, log retention and SIEM tuning, and backup/DR hardening.

Useful Resources

FAQs

Q: Did the attackers use a new FortiGate zero-day? – Current reporting points to weak credentials and exposed management/VPN services rather than a novel exploit. That said, staying patched is still non-negotiable because edge devices are frequent targets for n-days and known exploited vulnerabilities.

Q: We run FortiGate. Are we automatically at risk? – Not if you’re properly hardened. The actor reportedly abandoned hardened targets. The biggest risks were exposed admin surfaces, weak/reused credentials, and lagging patches.

Q: How can I quickly check if my device is exposed? – From an external vantage (e.g., a separate network), verify whether your admin interfaces respond over the internet. Better yet, use formal external attack surface management and ensure your firewall restricts admin access to trusted networks only.

Q: Will MFA stop this kind of campaign? – MFA won’t fix vulnerable software, but it dramatically raises the bar against credential stuffing and password guessing—common in opportunistic, scaled attacks.

Q: Should I disable SSL-VPN entirely? – Not necessarily. If you depend on VPN, harden it: strong authentication (preferably certificate-based), device posture checks, geofencing, rate limiting, and strict monitoring. Consider modern ZTNA for per-app access instead of broad network tunnels.

Q: What logs should I retain for investigations like this? – Prioritize firewall/VPN authentication logs, administrative access logs, configuration change and export events, and identity provider logs. Retain at least several months to cover multi-week campaigns and late detections.

Q: We found signs of probing but no confirmed breach. What’s next? – Treat it as a near-miss. Accelerate hardening, validate patches, rotate admin credentials, and sharpen detections. Probing often precedes attempts elsewhere in your estate.

Q: Is AI making every “script kiddie” as capable as an APT? – Not exactly. AI boosts speed, scale, and problem-solving for less skilled actors, but it doesn’t instantly grant deep tradecraft. However, at internet scale, “good enough” plus AI can be devastating against weakly defended targets.

Q: Which compliance regimes does this impact? – Any with requirements for secure configurations and access controls—e.g., NIS2, HIPAA, PCI DSS, SOC 2. Exposed admin services and weak authentication will draw scrutiny in audits and incident reviews.

The Bottom Line

AI is now a force multiplier for cybercrime. But the story here isn’t unstoppable machine ingenuity—it’s avoidable human exposure. The attacker moved fast, scaled globally, and bailed when things got hard. That’s your blueprint for defense.

Close the obvious doors: – Remove public admin exposure. – Enforce MFA and strong authentication. – Patch aggressively. – Monitor and alert on admin, VPN, and config-change events. – Harden identity, backups, and segmentation to blunt ransomware pivots.

Do the basics, and do them now. In an AI-accelerated threat landscape, good hygiene is not just table stakes—it’s your competitive advantage in security.

Discover more at InnoVirtuoso.com

I would love some feedback on my writing so if you have any, please don’t hesitate to leave a comment around here or in any platforms that is convenient for you.

For more on tech and other topics, explore InnoVirtuoso.com anytime. Subscribe to my newsletter and join our growing community—we’ll create something magical together. I promise, it’ll never be boring! 

Stay updated with the latest news—subscribe to our newsletter today!

Thank you all—wishing you an amazing day ahead!

Read more related Articles at InnoVirtuoso

InnoVirtuoso

Hello there! I'm passionate content writer navigating the digital landscape. With a deep love for words and an insatiable curiosity about technology.

With 10 years of experience in IT field, I write mostly about emerging tech, sharing news, informational articles and covering other topics I find interesting.

Let's craft the future of content together – one word at a time!

Browse InnoVirtuoso for more!